This invention relates in general to computer networks. In particular, the invention relates to secure ways of distributing software by server computers to client computers over a computer network.
Section A
This section concerns a variety of problems that annoy and inconvenience the users of personal computers, such as computer viruses, the cleanup of unusable or unwanted programs, and the upgrading of software.
Despite the existence of good programs to detect and remove computer viruses, unscrupulous and adventurous computer programmers frequently try to skirt the virus antidote programs by creating new viruses that are hard to detect or remove. Thus, there is an ongoing struggle between the creators of virus programs and the companies that find the antidotes for such viruses. A diligent user of a computer, therefore, must keep abreast of the developments in the computer virus warfare and upgrade to the latest software to detect and eliminate any new virus that may have infected his computer system. An automatic way of upgrading the virus antidote programs would help to ease the burden on the computer user.
Today, there are hundreds of vendors who offer trial versions (“demonstration copies”) of software as a method of gaining inroads in the market place. A typical computer user may wish to evaluate demonstration copies of software programs by different vendors before making a decision to purchase the best program for a particular use. These demonstration copies, once downloaded and activated, will reside on the computer after any expiration date set therein unless deliberate efforts are made to remove them. Once a demonstration copy has expired, it will not be useful to a computer user and will only take up valuable storage space on the user's computer. A typical computer user must plod through all directories in the computer to identify the unusable or unwanted computer programs and remove them in a careful manner. To perform such a task manually is not an optimal use of the time of a typical user. Additionally, in a manual cleanup of unusable or unwanted computer programs, there is a danger of deleting critical or useful programs accidentally, thus rendering the computer inoperative. Thus, there has developed a need for an accounting of software that is functional and useful and that which is unusable and merely occupying storage space on the computer.
To overcome some difficulties in removing outdated software programs from a user's computer, some vendors have started to market software programs like TuneUp(trademark) to perform these tasks automatically. However, because of changes in the releases of operating systems, or the addition of new features, newer versions of such programs are released often. This creates a situation where a user must purchase and upgrade the previous versions of the “tuneup” programs. Accordingly, there is a need for an automatic method and system to clean up a computer's storage without the need to purchase newer versions of cleanup software. It is beneficial to a user if such cleanup happens without the user's intervention, and during the times when the user does not attend to the computer.
Another problem faced by a computer user is prompt notification that a new upgraded version of software is available. In the past, vendors have developed different ways to notify their customers. One method is to place a new advertisement banner indicating a new product or offering on other web sites and lead users to the advertiser's web site. But not many customers respond to such Internet invitations to click on an advertisement banner. Another way is to post a “What's New” page on a vendor's web site with links to other pages containing detailed information. This does not work well because this requires users to visit the vendor's web site periodically looking for new information. A third way is to maintain lists of electronic mail addresses for interested customers and send them e-mail notification periodically. Maintenance of these lists has proved to be tedious. Additionally, many customers object to receiving unsolicited electronic missives.
In order to automatically update information in a personal computer via the Internet, a new technology, called the “push” technology, has emerged. This technology incorporates the broadcasting model into web servers and browsers. The primary purpose of this technology is to overcome the problem of ensuring that interested parties are notified whenever information content in a web site is updated. “Content” is distinguished from other kinds of electronic information, such as programs and electronic mail messages, in that content is the subject matter contained in a newspaper, a Lexis/Nexis(trademark) database or the like. Content is neither a machine to perform a task nor a structure or description of how data are arranged in a computer. The push technology has helped corporations tailor their sites for particular groups of users so that interesting content is easily located. The push technology also has enabled messages to be sent to the audiences when it was deemed ready for publication. Using push publishing, web site publishers have delivered newsletters to niche audiences or notified subsets of their readers of updated content.
PointCast(trademark) was one of the earliest implementations of the push technology to deliver information content. A user is typically advised to specify the type of content—news, entertainment, sports, or interest group related information—to be downloaded as it is updated. When upgraded content is available, the user may elect to download the information which can be browsed locally at the user's computer. PointCast(trademark), however, is configured only to deliver content to the browser of a computer over the Internet. It is not designed or equipped with the means to download executable programs to a storage device connected to a computer and execute them at the remote computer.
Other products are aimed at delivering executable computer programs to a user computer and executing them locally. Oil Change(trademark) is such a product. Once installed on the user computer, it allows automatic updating of computer programs via the Internet. In the case of Oil Change(trademark), a user can update to new versions of previously purchased and loaded software, or download a new “patch” or a bugfix, device drivers for new peripheral devices, templates, clip art and business forms to work in conjunction with word processing software packages, screen saver images, or the latest amendments to the tax code to work with accounting software packages. Another example of a similar commercially available product is Castanet(trademark) from Marimba, Inc. In these systems, a user is required to download executable software programs from the vendor's web site via the Internet using a variant of a protocol called the File Transfer Protocol (“ftp”), and manually execute the downloaded programs on the user's personal computer thereafter. This mechanism is similar to loading software from a store-bought portable storage medium, such as a magnetic tape, a floppy disk or a CD ROM and running the software locally on a user's computer, except that the program is downloaded from the Internet instead of being loaded from a storage device.
Executing software on a 32-bit personal computer running a Windows-95(copyright)/98(copyright) or NT(copyright) operating system involves registering the software in a data store called Windows Registry. Windows Registry is a configuration data store for both hardware and software. The settings in Windows Registry control the behavior of the software. When a user attempts to execute software on a personal computer equipped with the above-mentioned operating systems, the operating system interprets the user's attempt and runs the software based exclusively on the information from the Windows Registry. Typically, an entry in Windows(copyright) Registry is made during the installation process of new software on a computer. Vendors of software application programs provide automatic means to ensure proper installation of their programs. If, on the other hand, no entry is made in the Windows(copyright) Registry, the context under which a user used the software is lost. There is a need, therefore, for a system and method to store the information related to the context of software usage without using the Windows(copyright) Registry as a repository of such information.
The programming language Java(trademark) contemplates a virtual machine called the Java Virtual Machine(trademark) (JVM) to run compiled Java(trademark) code and stand-alone programs called “applets,” after they are downloaded to a compatible web browser such as the Netscape(copyright) Navigator(trademark), in a tightly controlled and secure environment. The JVM(trademark) is a software implementation of a central processing unit (CPU), an essential component in every computer. Software written in this virtual machine methodology runs within a contained environment defined to work only in a browser program and cannot access a client computer's file system or desktop easily.
Other programming methodologies, such as the Component Object Model (COM), have been developed to overcome this deficiency. However, this does not solve all the problems with delivering executable software to a client computer over the Internet in a form ready to be automatically executed. There is a need, therefore, for a method to encapsulate software so as to make it executable automatically upon delivery to the client computer.
Users of personal computers do not wish to entrust access to their computers to an unknown remotely located entity, for fear of losing privacy or causing damage to data stored in their computers. A service offered by a trustworthy source such as McAfee Associates, Inc., a well known vendor of computer security software, will overcome the user's reluctance to allow a remote operator access to their personal computer.
In summary, the state of the art provides means to deliver components of programs, means to deliver executable programs that must be executed locally by manual intervention, and means to provide content rather than executable programs. This art can be improved by delivering executable software rather than mere components to a personal computer; by allowing a trusted remote operator to access the internal components of a personal computer; and by executing programs automatically from a remote location. There is a need, for example, for a system and method in which when a user connects with a web site, an application may be downloaded, installed, registered and executed without any further intervention on the part of the user.
Section B
The public data networks, collectively called the Internet and colloquially referred to as the Web, are becoming increasingly popular. Among other things, the Internet provides a communication medium to distribute software products to computers that are located at distant places. The numerous methods by which sellers of computer software programs deliver executable programs automatically to client computers owned or operated by users are described herein and in the parent application, the disclosure of which is hereby incorporated by reference.
To understand the invention, it is helpful to understand the distinctions among the terms content, browser, type-setting program, embedded object and script. These five types of entities are described below in the context of Internet-related software.
Content is the subject matter contained in a web page. Content is distinguished from the other entities described herein in that content is not a program; it is the data that is presented to a user.
A web browser, or simply, a browser, is a computer program that provides access to the vast resources of the Internet. Typically, this is done by providing a “window” to the data located on other computers connected to the Internet. A frame is a part or section of a browser window that contains a distinct display area. If a web page is defined to contain multiple frames, each frame can act as an independent display area, and can download web pages located at different web sites, while displaying them together in one window on a browser. Alternatively, a web page may cause multiple browser windows to be created on the user's computer. A browser can also be described as a “container” of the various components it displays. Thus, while the components are embedded in a browser, the browser envelops the components.
In general, in a window-based computer system, such as the Windows(trademark) 98(trademark) program marketed by the Microsoft Corporation, windows are arranged hierarchically. A browser program that executes on a window-based computer system is also arranged hierarchically. When a browser application is launched on a windows-based computer system, the first window that appears is called the “parent window” or “main window” or “top-level” window. This top-level window can later “spawn” or “fork” other windows, which are called “sub-windows” that run other applications. A sub-window may be created by executing a script within a browser window, and may be programmed to run another instance of a browser program. In such cases, the sub-window is called an “opener” window. Thus, it may be the case that a first window running a browser program—a top-level window—is programmed to point to a web site, and a sub-window created from the same browser program is programmed to point to a different web site.
A type-setting program is a presentation program, typically written in the Hyper Text Markup Language (HTML). In an HTML-encoded program, content is surrounded by codes that indicate the manner in which the browser presents the content to a user. Additionally, HTML encodes certain devices called “links” that allow a user to “navigate” the web by simply clicking on a sensitive area of the web page.
A document that contains “objects” or “components” like graphics, audio or video files, or charts in addition to text is called an embedded document object. Several competing standards exist in the marketplace for documents that can be transmitted over the Internet and displayed in a browser. For example, two such standards are OpenDoc, promoted by the International Business Machines Corporation, and Object Linking and Embedding (OLE), promoted by the Microsoft Corporation. Typically, these standards provide for an application programming interface (API) that allows an independent software vendor (ISV) to develop applications that deliver components via the Internet. An API generally allows a programmer to interact with an enveloping browser. For example, a programmer may seek to determine the precise configuration of the browser by reading the values of its internal parameters. Alternatively, a programmer may wish to adapt the browser to a desired configuration by appropriately setting the browser's parameters.
Finally, a script is a list of computer-executable instructions, typically written in a human-readable language. Some browsers are configured to execute instructions written in script languages. In such browsers, an analog of a Central Processor Unit (CPU)—which is an essential component of all modern computers—is defined within the software contained in the browser. This software-defined CPU executes the scripts within the browser environment. For example, JavaScript(trademark) is a language in which a programmer can code in a human-readable set of instructions that can be executed within the browser environment. In this case, the browser is said to be a “container” object to execute the script within its bounds.
Referring now to the parent application, to achieve the objective stated therein, a web browser program running on a client computer must be able to access the inner workings of the client computer. This can be achieved with the help of the OLE document object technology. The OLE technology is a “system-level object architecture that includes services for all-inclusive data access, remote distribution of software components across heterogeneous platforms, robust transaction processing, and large-group development.” ActiveX(trademark) technology, developed by the Microsoft Corporation, of Redmond, Wash., uses the OLE architecture and provides the building blocks that enable a provider to distribute over a network software executables that can be executed on a client machine. In general, such distribution of software executables is done via a web browser as described in the parent application. Typically, this execution on a client machine is done when a page source is input to it by invoking certain scripts embedded in the web browser. The downloaded software components are called ActiveX(trademark) controls, which are computer executable pieces of program code. One feature of ActiveX(trademark) controls is that they have no restrictions placed on them once they reach a user's machine. For example, a programmer may write an ActiveX(trademark) control that, upon downloading to a user's computer, can shut down the computer or reformat its hard drive thereby destroying all data stored on the computer. This creates an easy way for malicious programs such as viruses to reach the client computer and be executed without the user's notice.
To overcome these security problems, the Microsoft Corporation requires all ActiveX(trademark) controls to be verified by a signature initiative called Authenticode. This verification works in the following way. Each ActiveX(trademark) control is given a secure and encrypted digital signature by a trusted corporation. All browsers that allow download and execution of ActiveX controls are pre-programmed to verify the digital signature. Every time an ActiveX(trademark) control is about to be downloaded, the browser examines the digital signature associated with the control. If the signature is verified as authentic by the browser, it is downloaded without any problems. Otherwise, the browser issues a warning message to the user.
As explained in the parent application, the invention described therein uses some of the features of a programming methodology exemplified by ActiveX(trademark) to effect easy and “hands-free” automatic downloading of software executables to a user's computer without any action taken on the part of the user. While the invented method and system help achieve the stated ends, a security threat may be created because of the above-mentioned feature of the ActiveX-like technologies that allows unrestricted access by the embedded code to a user's computer.
Because computers today are interconnected by networks such as the Internet, computer security has become a more important issue than before. Today, computers are more prone to attacks by viruses and Trojan Horses. A virus is a piece of computer code that replicates itself without a user's intervention. Left unchecked, a virus may copy itself stealthily to other computers and corrupt the data stored in storage devices connected to the computers. For example, a virus may rewrite a section of a computer start-up program called the “boot sector”. Every time a computer is started, the virus copies itself into the memory of the computer and waits. Suppose a user wishes to copy some data from the computer to a portable medium such as a floppy disk. The virus that has copied itself to the memory could be programmed to intercept the writing of the data to the disk and copy itself to the disk along with the data. In this manner, the virus has replicated itself to the floppy disk and is now ready to infect other computers where the floppy disk is used.
In contrast to a computer virus, a “Trojan Horse” is a malicious computer program that—like the fabled instrument of war used by ancient Greeks to gain entry into Troy—causes a user to believe that it is a legitimate program and entices the user operating a computer to perform certain actions that lead to compromising the security of the data stored in the computer.
Referring back to the parent application, assume that in accordance with the invention described therein, an Internet Clinical Services Provider (ICSP) downloads a software program called QuickClean(trademark), designed to “cleanup” the user's hard drive. In accordance with the above-mentioned ActiveX(trademark) Authenticode initiative, a license file is delivered to the user along with the QuickClean program. This software is designed with embedded methods or sub-routines that, when invoked properly using a script, rid the user computer of unwanted or unused software in an orderly manner. However, since these methods or sub-routines for removing unwanted or unused software are invoked by a script, a malicious user can also invoke the script in such a way as to remove desirable or valuable software, thereby causing severe damage to the user's computer. Moreover, a malicious user may also attempt to secretly transfer the contents of a user's computer by e-mailing these to his own computer. In the computer security lingo, such a malicious user or programmer is called a computer “hacker.” The above-mentioned malicious act, called computer “hacking,” can be accomplished in two ways.
In accordance with a first way of hacking, a hacker obtains a legitimate copy of QuickClean(trademark) and its associated license file from the ICSP. The hacker can then create his own web site and host both QuickClean(trademark) and the associated Authenticode license file on his web site and invite others to use the “free” software. The hacker creates a web page on his web site that contains a malicious script that will use the methods or sub-routines in the QuickClean(trademark) program to erase a user's hard disk. When a user, enticed by the “free” software, downloads the web page from the hacker's web site, the hacker will download the QuickClean(trademark) program to the user's computer and invoke the methods in the program to erase the user's hard disk. Alternatively, suppose a user visits an authorized ICSP web site first and downloads the QuickClean(trademark) program along with the associated Authenticode license file. Later, the user visits the hacker's web site. Since the QuickClean(trademark) program is already stored on the user's computer, the hacker does not need to obtain a legitimate copy to wreak havoc on a user's computer by providing a script to invoke the sub-routines embedded in the QuickClean(trademark) program.
In accordance with a second way of hacking, a hacker may entice an unsuspecting user to visit his web site. The hacker may program his web pages to invoke multiple frames or multiple browser windows. In one frame or browser window, the hacker can cause the user computer to download the QuickClean(trademark) program and the associated license file from the ICSP web site. In a second frame or browser window, the hacker can run his malicious script, thereby causing damage as described above.
There is a need, therefore, for a system and method to prevent a hacker from activating the methods or sub-routines embedded in a computer executable code downloaded to a user computer via the web.
The foregoing problems in Section A of the Background of the Invention are overcome in an illustrative embodiment of the invention in a network computing environment in which a server computer is programmed to download an application to a user computer across a network and to execute the application on the user computer.
In one aspect of the present invention, the server computer receives a request in the form of a data packet from the user computer, whereupon the server computer causes a first web page image to be displayed on the user computer via a browser program running on the user computer. If the user inputs identification and a secure password in the first web page and transmits the first web page to the server computer, the server computer authenticates the user information and opens a secure connection with the user computer. The server computer thereupon, with no additional input from the user, searches the user computer for pre-designated executable software, and if such software is not found or is found to be outdated, downloads to the user computer said software or upgrades to such software. Finally, the server computer causes the software to be executed on the user computer.
In another aspect of the invention, the server computer stores user information received during an initial registration process and verifies the user information when a user requests the services of the server computer via the first web page.
In another aspect of the present invention, the server computer is programmed to generate periodic reports of user activity, and coupled with information stored in a billing database connected to the server computer, generates invoices to be sent to the user via email, fax or some other means. In yet another aspect of the invention, the server computer is programmed to generate statistical summary reports of usage patterns for all users on a periodic or on-demand basis, said summary reports generated in textual form, graphical form or electronic form to be displayed on or transmitted to another computer.
With respect to the problems of Section B of the Background of the Invention, the present invention provides a method to verify a downloaded software object so that the software object is executed only if it is downloaded by an authorized entity. Accordingly, the invention comprises a software program that is downloaded to a client computer by a server computer and is programmed to execute on the client computer only if it is enabled to do so. In a preferred embodiment of the invention, a computer-executable program code first determines the URL to which a browser running on the client computer is pointed and enables the downloaded software program only if the URL to which the browser is pointed is an authorized URL.
In another aspect of the invention, the determination of the URL to which the browser is pointed is made by verifying the URL pertaining to the “top-level” window of the browser. In yet another aspect, the determination is made by verifying the URL pertaining to the “opener” window of the browser.
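As an added illustration (not code from the patent or its assignee), the following Node.js snippet models the enabling check just described: the downloaded component stays disabled unless the top-level window, every intervening frame, and the opener chain all belong to an authorized origin. The authorized origin list and the window objects are constructed assumptions for the example; it also covers the multi-frame scenario from Section B and the case where a cross-origin window's URL cannot be read at all.

```javascript
// Added example, not code from the patent: a defender-side "may this
// component run here?" check built on the two URL tests the text names,
// the top-level window's URL and the opener window's URL.

// Authorized origins are an assumption for this example. Comparison is on
// the whole origin (scheme, host, port), never on a substring of the URL,
// because "https://icsp.example.invalid" is contained verbatim in
// "https://icsp.example.invalid.attacker.test".
const AUTHORIZED_ORIGINS = new Set(["https://icsp.example.invalid"]);

// Return the origin of a URL string, or null if it does not parse or is
// not https: (about:blank, data: and similar carry no trustworthy host).
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  return u.protocol === "https:" ? u.origin : null;
}

// Read a window's URL. In a browser, location.href of a cross-origin window
// throws a SecurityError; an unreadable URL is treated as unauthorized.
function readHref(win) {
  try {
    return win.href;
  } catch (e) {
    return null;
  }
}

// Walk from the component's own window up through every parent frame to the
// top-level window, then along that window's opener chain. Every window
// reached must belong to an authorized origin, otherwise stay disabled.
function isEnabledFor(win) {
  const seen = new Set();
  let w = win;
  while (w && !seen.has(w)) {
    seen.add(w);
    const origin = originOf(readHref(w));
    if (origin === null || !AUTHORIZED_ORIGINS.has(origin)) return false;
    // climb frames first; a top-level window is its own parent, so hop to its opener
    w = w.parent !== w ? w.parent : w.opener;
  }
  return true;
}

// Constructed, hypothetical window objects standing in for browser windows.
function makeWindow(href, { parent = null, opener = null, readable = true } = {}) {
  const w = { opener };
  if (readable) w.href = href;
  else Object.defineProperty(w, "href", { get() { throw new Error("SecurityError"); } });
  w.parent = parent || w;
  return w;
}

// Scenario 1: the ICSP page loaded directly in a top-level window -> enabled.
const directTop = makeWindow("https://icsp.example.invalid/clean");

// Scenario 2 (the "second way" in Section B): the ICSP page inside a frame of
// another site's page; the top-level window is not authorized -> disabled.
const otherTop = makeWindow("https://other.example.invalid/free");
const framedIcsp = makeWindow("https://icsp.example.invalid/clean", { parent: otherTop });

// Scenario 3: the ICSP page opened as a sub-window by that other page; the
// opener is not authorized -> disabled.
const popupFromOther = makeWindow("https://icsp.example.invalid/clean", { opener: otherTop });

// Scenario 4: the top-level window's URL cannot be read (cross-origin in a
// real browser) -> treated as unauthorized -> disabled.
const unreadableTop = makeWindow("https://unknown.invalid/", { readable: false });
const framedUnderUnreadable = makeWindow("https://icsp.example.invalid/clean", { parent: unreadableTop });
```

In a real page the component would call `isEnabledFor(window)` before exposing any of its methods to script; the walk stops at the first window it cannot vouch for.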